1xEV-DO Web Paper

1xEV-DO Security
Wireless and Wireline Security
As the Internet is used for the transmission of sensitive information, it is very important to have
secure connections. This is true for both wireline and wireless Internet. A number of security
measures that have already been developed for the wireline Internet are also applicable to the
wireless Internet.

First, let's look at the contrast between security requirements for voice and Internet services in
general. In order to eavesdrop on a wireline voice call, one would have to access the physical
wires of the PSTN. Voice traffic is rarely encrypted because PSTN networks are relatively
secure. Although analog transmissions are easily decipherable, there are physical constraints in
place on neighborhood junction boxes and circuits. This provides a sense of security to most
consumers, who transmit sensitive information over the wireline voice network.

In a cellular voice network, again the PSTN portion of the network is considered secure from
external access. In some instances, such as government applications, the wireless portion of the
cellular voice network may be further protected with encryption. However, in contrast to analog
wireless systems, CDMA is inherently very secure, and typically CDMA voice services intended
for consumers are not encrypted.

Looking back at the wireline Internet, it is relatively easy to access and monitor other Users'
traffic. Switched wireline environments allow traffic destined to all users to be easily monitored
from a User's computer, and shared environments allow all network traffic to be monitored.
This is the reason many security mechanisms have already been built into web browsers and web
server applications (e.g., Secure Socket Layer, Transport Layer Security), and operating systems
have integrated VPNs (e.g., PPTP, L2TP, IPsec). These security mechanisms have been
heavily scrutinized by security experts worldwide and have proven to be robust and secure.
Because each link in the Internet's distributed architecture is equally vulnerable, end-to-end
encryption is required for secure Internet connections (Diagram 1). In addition, the User is
authenticated and authorized by the Internet Service Provider (ISP).

Copyright 2003, QUALCOMM Incorporated

Diagram 1: Normal Packet Path (No Protection): 1xEV-DO Airlink, Wireless ISP, Internet, Server; the ISP Firewall allows all data to and from Users. VPN Applied (Data is Protected): 1xEV-DO Airlink, Wireless ISP, Internet, Firewall, Corp. LAN Intranet, Server; the ISP Firewall allows only authenticated User traffic and the VPN encrypts the data.

This model can easily be extended to the wireless realm, and all the same well-tested security
mechanisms can be used in cellular wireless Internet systems (Diagram 2). It is important to
note that once again end-to-end encryption is required. If only the airlink is encrypted, and not
the remaining paths through the Internet, then the User's traffic is still vulnerable and the added
protection on the airlink has been circumvented. It is extremely important to utilize VPN
techniques that encrypt and protect the entire path.

Diagram 2: Air-link Encryption covers only the 1xEV-DO segment between the device and the Wireless ISP (Local Server); End-to-End Encryption at the Network or Application Layer extends across the Internet to the Remote Server.

Following the wireline Internet model benefits providers by allowing the use of the same well-tested
security mechanisms. It has been shown in the past that new security mechanisms devised
by the GSM and Wireless LAN communities have not been as successful, since they have not had
the same level of testing and scrutiny as the well-established Internet security protocols.

1xEV-DO Security
1xEV-DO, the IS-856 standard, offers authentication, authorization and the capability to add
encryption mechanisms. The standard provides provisions such as protocol type and crypto-sync
to define an encryption protocol for the airlink. The provisions in the IS-856 standard that allow
encryption to be added give manufacturers the flexibility to encrypt all the information
transferred over the airlink or only specific channels. This is left to the implementer's discretion.

1xEV-DO Air-Link Authentication


The 1xEV-DO System provides strong authentication mechanisms at the air-link layer that are
effective against theft-of-service attacks. The airlink authentication verifies that the two entities,
the Radio Access Network (RAN) and the 1xEV-DO device, are who they say they are. The
Diffie-Hellman Exchange protocol requires the BSC function within the RAN and the 1xEV-DO
Access Terminal to exchange ephemeral keys using the Diffie-Hellman algorithm. The BSC
and RADIUS server derive a session key (referred to as the AirInterfaceSessionKey), then exchange
the keys. If the keys match, then the PPP and LCP negotiation is initiated. The device passes
its Username to the RAN, where the RADIUS server authenticates the device. Upon a positive
authentication the BSC binds the AirInterfaceSessionKey to the IMSI and the RADIUS server
binds the NAI to the IMSI (Diagram 3). If the User is not located at their home network, the
serving carrier's RADIUS server proxies with the Home Network's RADIUS server to
authenticate the device (see section: Authentication for Roaming). Once the device is
authenticated on the airlink it initiates the User Authentication process. The session keys are
good for the lifetime of each session. New keys are regenerated with every new session.

Diagram 3: 1xEV-DO Airlink Authentication. Message flow between the BSC and the RADIUS Server: each end-point begins with a Private Key; the RADIUS Server stores Private Keys; Exchange Public Key; Exchange AirInterfaceSessionKey (Shared Secret); PPP and LCP negotiations; Positive Auth: BSC binds Session Key to IMSI; CHAP negotiation: NAI device@wirelessisp.com; CHAP negotiation: Positive Authentication, RADIUS binds NAI to IMSI; Airlink Authentication Complete.
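The key agreement described above, as an added illustration that is not code from the paper or from any IS-856 implementation: an ephemeral Diffie-Hellman exchange between the Access Terminal and the BSC, derivation of an AirInterfaceSessionKey from the shared secret, and the BSC binding that key to the IMSI after a positive authentication. The toy group, the SHA-256 key derivation, folding the RADIUS-side key comparison into the BSC, and the data structures are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example only; a real deployment would use a
# standardized group (2048-bit MODP or larger), never a 127-bit prime.
P = 2**127 - 1
G = 3

def dh_keypair(rand=secrets.randbelow):
    """Ephemeral key pair for one session: fresh private exponent, public value."""
    priv = 2 + rand(P - 3)          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def derive_session_key(priv, peer_pub):
    """AirInterfaceSessionKey as a hash of the DH shared secret (assumed KDF)."""
    if not 1 < peer_pub < P - 1:    # reject degenerate public values (0, 1, P-1)
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class BSC:
    """Stand-in for the RAN side: keeps each session key bound to an IMSI."""
    def __init__(self):
        self.bindings = {}

    def bind(self, imsi, key):
        self.bindings[imsi] = key

    def verify(self, imsi, key):
        # constant-time comparison so a mismatch does not leak partial matches
        return secrets.compare_digest(self.bindings.get(imsi, b""), key)

def airlink_handshake(imsi, bsc, rand=secrets.randbelow):
    """One session's exchange; True when both ends agree on the key."""
    at_priv, at_pub = dh_keypair(rand)     # Access Terminal (AT) side
    bsc_priv, bsc_pub = dh_keypair(rand)   # BSC side
    at_key = derive_session_key(at_priv, bsc_pub)    # AT uses the BSC public value
    bsc_key = derive_session_key(bsc_priv, at_pub)   # BSC uses the AT public value
    if not secrets.compare_digest(at_key, bsc_key):  # keys exchanged and compared
        return False
    bsc.bind(imsi, bsc_key)   # positive auth: BSC binds the session key to the IMSI
    return True
```

Running the handshake twice for the same IMSI replaces the stored key, matching the paper's point that keys are regenerated for every new session.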

User Authentication and Authorization


After the device is granted access to the RAN, the User is authenticated with CHAP, and the PPP
and LCP negotiations are established between the device and the PDSN (Diagram 4).

After the User authenticates on the network, information regarding the User's Authorized
Services is sent from the RADIUS server to the PDSN in the form of an Access-Accept
message. The User's services have now been authorized and they are free to use the network in
accordance with their Authorized RAN services.

Diagram 4: User Authentication and Authorization. Message flow between the PDSN and the RADIUS Server: User Authentication starts; PPP and LCP negotiations; CHAP Negotiation: NAI and Password; CHAP Negotiation: NAI and Password match, then Positive Authentication; Authorization Process: RADIUS server forwards the User's Authorized Services to the PDSN; PDSN allows Authorized Services.

Authentication for Roaming


The RADIUS server supports RADIUS proxy operation (Diagram 5) and can be used for
authentication in a roaming situation. RADIUS proxy allows the serving RADIUS server to
forward all messages to the home RADIUS server based on the Realm in the User's identifier.
Therefore, all RADIUS Authentication, Authorization and Accounting messages for a User
homed in a different Access Network are automatically forwarded by the serving Access
Network to the home Access Network.

Diagram 5: RADIUS proxy for roaming. The Roaming Subscriber attaches over 1xEV-DO to the Serving System's Wireless ISP, whose RADIUS Server (Proxy Mode) forwards across the Internet to the Home System's Wireless ISP RADIUS Server, which holds the User's Profile.
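An added example, not from the paper or from any 1xEV-DO product, combining the CHAP authentication and Access-Accept authorization described under User Authentication and Authorization with the realm-based RADIUS proxying described in this section. The CHAP digest follows RFC 1994; the message dictionaries, server classes, the visited realm name, the password and the service list are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, password, challenge):
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge).
    The password itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class RadiusServer:
    """Answers for its own realm; proxies every other realm to the home server
    listed in its peer table (the proxy mode of Diagram 5)."""
    def __init__(self, realm, profiles, peers=None):
        self.realm = realm
        self.profiles = profiles    # NAI -> {"password": bytes, "services": [...]}
        self.peers = peers or {}    # realm -> home RadiusServer

    def access_request(self, nai, identifier, challenge, response):
        realm = nai.rpartition("@")[2].lower()
        if realm != self.realm:                  # roaming User: forward by realm
            home = self.peers.get(realm)
            if home is None:
                return {"code": "Access-Reject", "reason": "unknown realm"}
            return home.access_request(nai, identifier, challenge, response)
        profile = self.profiles.get(nai)
        if profile is None:
            return {"code": "Access-Reject", "reason": "unknown user"}
        expected = chap_response(identifier, profile["password"], challenge)
        if not hmac.compare_digest(expected, response):
            return {"code": "Access-Reject", "reason": "bad password"}
        # positive authentication: the Access-Accept carries the authorized services
        return {"code": "Access-Accept", "services": list(profile["services"])}

def pdsn_authenticate(serving, nai, password):
    """PDSN side of Diagram 4: challenge the device, relay its CHAP response in an
    Access-Request, and enable only the services the Access-Accept lists."""
    identifier, challenge = 1, os.urandom(16)
    response = chap_response(identifier, password, challenge)  # computed by the device
    reply = serving.access_request(nai, identifier, challenge, response)
    return reply["services"] if reply["code"] == "Access-Accept" else None

# Constructed sample data: the paper's NAI device@wirelessisp.com with a home server
# for that realm, and a serving server in a visited network running in proxy mode.
HOME = RadiusServer("wirelessisp.com", {
    "device@wirelessisp.com": {"password": b"s3cret", "services": ["ppp", "internet"]},
})
SERVING = RadiusServer("visited.example", {}, peers={"wirelessisp.com": HOME})
```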
